Here is my proposal for more semantic sugar.
It defines 3 new SSL* config directives:

  - <SSLPolicy name> ... </SSLPolicy> defines a set of SSL* directives under a name
  - SSLPolicy name merges the non-proxy parts of the policy into the
    current server config; local directives override it
  - SSLProxyPolicy name merges the proxy parts of the policy into the
    current server config; local directives override it

There are at the moment 3 predefined policies: modern, intermediate, old (from
https://wiki.mozilla.org/Security/Server_Side_TLS).
In order to apply them on TLS connections to the client, you configure

    SSLPolicy modern

in your server config or in a specific vhost. To affect the backend proxy
connections, you may add:

    SSLProxyPolicy intermediate
All settings besides a policy apply as usual. They override policy values.
The order does not matter:

    SSLPolicy modern
    SSLProtocol SSLv3

is the same as

    SSLProtocol SSLv3
    SSLPolicy modern
When you use multiple policies in the same server, they are merged in
reverse order (or, put differently, they override each other in document
order, i.e. the last one wins):

    SSLPolicy modern
    SSLPolicy intermediate

will give you "intermediate" security settings, while

    SSLPolicy intermediate
    SSLPolicy modern

will give you "modern" ones.
You can override policies, so if someone wants to "hotfix" a policy, she can
write:

    <SSLPolicy modern>
        SSLPolicy modern
        SSLCipherSuite "VERYHOTNEWONE"
    </SSLPolicy>

or you expand a policy:

    <SSLPolicy modern-on>
        SSLPolicy modern
        SSLEngine on
    </SSLPolicy>
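A fuller configuration putting the pieces together, as an added example that is not part of the proposal: SSLPolicy/SSLProxyPolicy and the "modern"/"intermediate" names are the proposed directives and policies, the remaining directives are standard mod_ssl/mod_proxy ones, and hostnames and certificate paths are placeholders.

```apache
# Added example (not part of the proposal). Assumes the proposed
# SSLPolicy / SSLProxyPolicy directives and the predefined "modern" and
# "intermediate" policies; hostnames and certificate paths are placeholders.

# A site policy that expands the predefined "modern" policy: the inner
# SSLPolicy line pulls "modern" in, the local lines are merged on top.
<SSLPolicy site-modern>
    SSLPolicy modern
    SSLEngine on
    SSLHonorCipherOrder on
</SSLPolicy>

# Public-facing vhost: client connections get the site-modern settings.
<VirtualHost *:443>
    ServerName www.example.com
    SSLPolicy site-modern
    SSLCertificateFile    /path/to/placeholder/cert.pem
    SSLCertificateKeyFile /path/to/placeholder/key.pem

    # Backend connections get only the proxy parts of "intermediate", so an
    # older internal backend keeps working without weakening the
    # client-facing settings above.
    SSLProxyEngine on
    SSLProxyPolicy intermediate
    ProxyPass        / https://backend.internal.example/
    ProxyPassReverse / https://backend.internal.example/
</VirtualHost>

# Pitfall to watch for in review: a local directive wins over the policy
# regardless of order, so this vhost runs with SSLv3 despite "modern".
# Drop the SSLProtocol line to get the policy's protocol set back.
<VirtualHost *:443>
    ServerName legacy.example.com
    SSLPolicy site-modern
    SSLProtocol SSLv3
    SSLCertificateFile    /path/to/placeholder/cert.pem
    SSLCertificateKeyFile /path/to/placeholder/key.pem
</VirtualHost>
```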
I hope this looks attractive to you. All bugs are mine. Let me know what you
think.
Cheers,
-Stefan